Related threats

We’ve seen NetSupport Manager leveraged as both a primary payload in its own right, as well as a follow-on payload delivered by other threats in our top 10. Both Scarlet Goldfinch—which landed in third—and LummaC2—coming in sixth—used NetSupport Manager as a primary or follow-on payload.

Earlier in 2024 we saw FIN7 delivering NetSupport Manager in MSIX campaigns. Another reason for NetSupport’s placing so high this year was its use as a payload in paste-and-run campaigns. In previous years we’ve seen it delivered alongside other threats as well, like FakeSG, SocGholish, and Qbot.

Since adversaries have delivered NetSupport Manager as a part of many campaigns, initial delivery methods vary widely. Malicious NetSupport Manager can be the result of phishing campaigns, fake updates, fake CAPTCHA lures, and more.

Breaking down the parts

NetSupport Manager has several components:

• NetSupport Manager Client is the component that is installed on systems the adversary wants to control. When we refer to NetSupport Manager, this is typically the component we are referring to.
• NetSupport Manager Control is the component used on the controlling workstation. This component allows adversaries to upload and execute files.
• NetSupport Manager Deploy is a component on the controlling workstation that creates some software packaging for deployment, though it does not play an active role after the client is installed.

Legitimate NetSupport installs are often found in the Program Files directory, using the standard filename client32.exe. Suspect instances may be found by looking for client32.exe running from a non-standard directory, such as a user’s Downloads or Roaming folder.

It’s not unusual for adversaries to rename the NetSupport Manager Client file, so looking for binaries with the internal name client32 making network connections to netsupportsoftware[.]com is another good indicator of suspicious NetSupport Manager use.

Having the ability to collect and inspect binary signature metadata and binary naming conventions and understanding common and uncommon installation paths for RMM tools like NetSupport Manager are the basic prerequisites for developing an effective detection strategy. Of course, the sheer volume of RMM tools available to adversaries, let alone abused by them, renders confident detection coverage a tall order.

The best generic advice for mitigating the risk posed by NetSupport Manager is to create robust allow/blocklist policies and strictly adhere to them.

NetSupport Manager execution is often achieved using PowerShell. The most effective protection against PowerShell tradecraft is through the implementation and enforcement of a strong Windows Defender Application Control (WDAC) policy, which places PowerShell into Constrained Language mode, mitigating a wide array of PowerShell tradecraft.

Detection opportunity: NetSupport running from an unexpected directory

Under normal circumstances, you should expect NetSupport Manager to run from the programfiles directory. If you find NetSupport Manager—often identifiable as client32.exe—running outside the programfiles directory, particularly from the programdata directory, then it’s worth investigating. In instances where an adversary like FIN7 delivered NetSupport Manager as a follow-on payload, it is frequently observed running from a suspicious location like programdata or a user’s directory.

Surveyor

You can search your environment for the presence of unsanctioned RMM tools, including NetSupport Manager, using our open source baselining tool Surveyor.